Security standards governing communications between networks with different levels of security often impose constraints that conflict with the requirements for interoperability between said networks, and also with the performance required for data transport.
By way of illustration, an internal corporate network is authorized to receive certain data from an external network, but no datum from the internal network may be transmitted in unencrypted form to the external network. Thus, for example, if two corporate networks communicating via an intermediate public network—for example, the Internet—wish to exchange confidential information, an encryption/decryption device is placed at the output of each of these corporate networks. All of the data are encrypted at the output of the transmitting corporate network and decrypted on entry to the receiving corporate network, in such a way that no datum originating from a corporate network is transmitted in unencrypted form over the intermediate public network.
On the one hand, in order to be able to transfer data in the uplink direction, i.e. from the external network to the internal corporate network, in other words from a low-sensitivity network to a network with a higher sensitivity level, the data transport protocols generally require transmissions of data in the downlink direction, i.e. from the internal network to the external network. In fact, in addition to the useful data which are to be transported (a set of data often referred to as the “user traffic plane”), there are also signaling and control data, inherent in the management of the data transport by the protocol, which have to be transmitted at the same time in both the uplink and the downlink directions. The signaling and control data, which exist notably for the IP (Internet Protocol) and Ethernet protocols, are for example acknowledgements of receipt, or priority markers used to manage quality of service during data transmission sessions. On the other hand, the processing applied to the data (total encryption) is identical regardless of their type, which becomes more and more difficult to sustain as multimedia communications channels combining voice, data and video develop.
Also, in order to benefit from certain basic services such as quality of service management, it is necessary to establish a two-way communications channel, encrypted or otherwise, authorizing the signaling and/or control data to be transmitted between the protected networks and the intermediate public network.
Moreover, the absence of means allowing data to be exchanged in a protected manner between networks with different levels of security also results in duplication of equipment and associated management resources. For example, each network must include a domain name server, a universal time server or any other type of service which is a priori non-confidential, but essential to its operation. Moreover, the diagnostics of the status of the public network cannot be carried out through the encryption/decryption devices. For example, it is impossible to send a signal to a public network indicating an incident which has occurred on the protected network, as a simple malfunction alarm, which is intrinsically non-confidential, cannot be transmitted from the protected network to a network with a lower level of protection.
An alternative solution consists in authorizing certain types of selected data to be transmitted in unencrypted form and without control via the public network, in other words, creating an additional communications channel for certain types of data. However, this solution entails risks, as an attacker is able to exploit this channel to cause information to leak from a protected network
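The following is an added illustration, not part of this document or of any product it describes, of the distinction drawn above between the encrypted user-traffic plane and the signaling and control data that must cross the boundary in the clear. It models an egress policy in which every user-plane packet is encrypted while only allow-listed control types (acknowledgement, priority marker, malfunction alarm) pass unencrypted, each with a fixed set of integer fields, so that the clear channel cannot carry free-form content. The packet model, the allow-list and the stand-in encryption routine are all assumptions constructed for this example.

```python
"""Egress policy model: encrypt user traffic, pass only fixed-format signaling in the clear."""
from dataclasses import dataclass
from hashlib import sha256
import os

# Assumed allow-list of non-confidential control types and their permitted fields.
ALLOWED_SIGNALLING = {
    "ack":      {"ack_no": (0, 2**32 - 1)},  # acknowledgement of receipt
    "priority": {"dscp": (0, 63)},           # QoS priority marker (6-bit DSCP)
    "alarm":    {"code": (0, 255)},          # non-confidential malfunction alarm
}

@dataclass
class Packet:
    kind: str     # "data" (user plane) or one of the signaling types above
    fields: dict

def encrypt(fields: dict, key: bytes) -> bytes:
    """Stand-in for the encryption device: nonce-keyed SHA-256 keystream.
    Illustrative only; a real device uses an authenticated cipher."""
    plain = repr(sorted(fields.items())).encode()
    nonce = os.urandom(16)
    stream, ctr = b"", 0
    while len(stream) < len(plain):
        stream += sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return nonce + bytes(p ^ s for p, s in zip(plain, stream))

def egress(pkt: Packet, key: bytes):
    """Return ("encrypted", bytes) for user traffic, ("clear", dict) for
    permitted signaling, or ("dropped", reason) for anything else."""
    if pkt.kind == "data":
        return "encrypted", encrypt(pkt.fields, key)
    spec = ALLOWED_SIGNALLING.get(pkt.kind)
    if spec is None:
        return "dropped", "unknown type"
    # Exact field set: no extra field may ride the clear channel.
    if set(pkt.fields) != set(spec):
        return "dropped", "unexpected field set"
    for name, (lo, hi) in spec.items():
        v = pkt.fields[name]
        # Bounded integers only: no strings or out-of-range values in the clear.
        if not isinstance(v, int) or isinstance(v, bool) or not lo <= v <= hi:
            return "dropped", f"bad value for {name}"
    return "clear", dict(pkt.fields)
```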